Where Has All My Spam Gone?

An anonymous reader writes "I have my own domain, which has its own email server, where I receive all my personal email. I've been getting about 800 emails a day, of which perhaps 20 are real. Suddenly, Sunday or Monday evening, the spam pretty much stopped. My volume of mail has plummeted to less than 100 a day, and as far as I can tell, I'm not missing any real mail — I'm still getting the email list subscriptions I'm expecting, and every time I ask someone to send me a test message, it gets through. My domain host insists that it doesn't do any spam filtering before mail gets to my inbox, and that they've changed nothing about their configuration. I run SpamAssassin on my server to mark, but not delete, spam, and download the whole mess to my home client, and I'm still seeing the occasional message tagged by SpamAssassin. But it's virtually all gone. And I haven't changed anything about my own mail configuration, or the harvestability of my site (my personal email has been harvestable for almost a decade). So what's going on? I can't believe that several major botnets would have vanished overnight. Any ideas?"

Hmm

[geminidomino]

*Checks mail logs*

Yeh, you need to ask the ISP again. No sign of slowing here.

Re:Hmm

[urbanriot]

Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.

Re:Hmm

[ElizabethGreene]

A group of the original SpamAssassin developers got together with a group of mercenaries and created SpammerAssassin. It's in alpha, and looks good except it seems to have started a teeny-tiny war in the eastern bloc. Oops. They have an open bug ticket on it.

:D

Re:Hmm

[Southpaw018]

Thirded over here. Solid 7000/day for months (small business).

Re:Hmm

[oldspewey]

Seriously though ... if spammers started turning up dead where would the police even begin their investigation? There's only a pool of what, half a billion suspects?

Re:Hmm

[VenomPhallus]

Yup, and here; still getting 250 a day+ or so.

Maybe they finally clicked that you've already got a huge penis and legendary bedroom performance?

Re:Hmm

[tha_mink]

Perhaps the botnets are busy fighting amongst themselves, vis a vis the Georgia v. Russia conflict.

Re:Hmm

[y86]

Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.

You should REALLY consider trying postgrey.

http://postgrey.schweikert.ch/

Postgrey on non whitelisted servers rejects the first mail attempt with a fail. The sending email server will retry X times, but the 2nd time it accepts it and adds the server to the whitelist.

Postgrey will add a 5 minute lag to an email that's sending server has never sent an email to you. It's worth it to screw the spammers zombies over IMHO.

Also, I would check your postfix/whatever you are using for a mail servers policy. I get 0 spam emails now and my address is posted all over the web.

I do have spamassassin running as well with sieve filtering to put what is marked as spam in a junk folder but the junk folder is empty, every now and then I'll see something -- but very rarely. Like once every 2 months.

Here's my spam prevention system :-)

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service inet:127.0.0.1:60000

Re:Hmm

[skolima]

+1 Insightful or +1 Funny? Tough call..

Re:Hmm

[Like2Byte]

Perhaps the botnets are busy fighting amongst themselves, vis a vis the Georgia v. Russia conflict.

Ok, Agent Mulder, settle down.

Re:Hmm

[xtinct]

yeah, that guy got arrested & sentenced to minimum security prison.

then he proceeded to escape, kill his wife & baby daughter (a teenager escaped) and then himself.

pretty crazy, no?: http://www.dailycamera.com/news/2008/jul/26/spam-king-murder-suicide-surviving-daughter-in/

Re:Hmm

The Russian spammers can't get bandwidth because the military is busy using it against Georgia.

Re:Hmm

[j-cloth]

A huge second to PostGrey. It kills 90% of my incoming spam before it even touches spamassassin. However, I have noticed a few people who receive failure messages from their mail systems telling them that they've been greylisted before the mail goes through. Then uppy-ups whine to me.

Re:Hmm

[swb]

There's something to that, even if the original poster's claim of not having spam anymore is local to him through unknown upstream changes.

Its long been suspected that the Russian government and Russian organized crime have cooperative links, if not outright overlapping "membership" (Putin is FSA/KGB, and its well known that ex-KGB members have been deeply involved in the Russian Mafia).

With this in mind, its not hard to speculate that if botnets controlled by Russian organized crime were put use against pro-Georgian assets, the ensuing defenses, publicity and exposure at the political/military level could possible cause these botnets to be far more vulnerable than they otherwise would be in the course of normal criminal activity.

This higher level exposure might lead to weakening them and reduce their effectiveness at normal tasks like spam.

Its also possible they may also be overutilized and prioritized for cyberwarfare and not for spam.

Re:Hmm

[Random+BedHead+Ed]

Oh ... so you're address is bill@billrocks.org? Interesting ...

Re:Hmm

[Random+BedHead+Ed]

Not sure if we've exchanged comments before, but I have some genuine replica watches of the finest quality.

Re:Hmm

[Random+BedHead+Ed]

Also, visit my Canadian Pharmacy online drugstore to choose from a great selection of products of high quality produced according to the strict pharmaceutical standards.

Re:Hmm

[DriedClexler]

After I read this article yesterday (single page), that's what I thought: given all the spammers that are Russian, there's a chance there might be a slowdown in spam as patriotic Russians "pitch in" by helping DDOS Georgian resources.

It's pretty amazing if you read that article how easy it was for just an average person to find out how to "volunteer" for the Russian army: independent helpers have made it so you can find out which Georgian sites you should ping in order to maximize your effectiveness, and have programs that you can download that do most of the work with minimal hassle.

However:

a) According to most posters, spam hasn't actually abated.
b) Spammers wouldn't do something as selfless as pitching in for their country.

Re:Hmm

[TTURabble]

So Saakashvili is getting 100 emails a minute about pen1s enlargement?

Re:Hmm

[wmbetts]

I use to read a lot of not so nice forums when I was really into Info Sec and I always heard them referred to as "The Russian Business Network"

Re:Hmm

[christianT]

IIRC SpammerAssassin is built on JBASH (Jason Bourn Again Shell)

Re:Hmm

[protolith]

is also getting far less spam now for a couple weeks

I think that's about to change.

Re:Hmm

[Lazyrust]

I would be happy to purchase those genuine watches but first I would need your assistance in moving a large sum of money out of the country of Nigeria. It seems that a rich uncle of mine has passed away this year and unfortunately his wife is unable to accept the money due to governmental restrictions. Therefore, if you would be willing in assisting me in transferring the sum of $5,000,000,000,000,000.00 I will be happy to give you 10% in return for your time and effort. In addition I will purchase all of your fine genuine replica watches of the highest quality. In addition, I will be in need of a great selection of products of high quality from your canadian pharmacy online drug store. Therefore, if you would be willing to send me your name, address, bank name and account number via email, I will be able to begin processing this information with his bank and will contact you shortly by international certified mail.

Thank you for your time.

Re:Hmm

[Hatta]

Its long been suspected that the Russian government and Russian organized crime have cooperative links, if not outright overlapping "membership"

What is a government anyway but the most successful group of thugs imaginable?

Re:Hmm

[epee1221]

So, something of a modernized letter of marque?

I'm getting it

[digitrev]

My spam has tripled over the past few days. So I'm not getting all of it, but I'm getting a chunk of it.

Re:I'm getting it

[ShadowBlasko]

Heh, we've got a virus running around the site lately that is titled "CNN Gold Medal tracker".

Sneaky ...

Re:I'm getting it

[SatanicPuppy]

We've been getting a lot of "reverse spam"...The organizational emails are necessarily public, so some enterprising Russian has harvested the entire set and is using them as "REPLY-TO" addresses, so we get all the bounce messages from their damn spamming.

It's all the fun of having an exploited mail server without actually having an exploited mail server. The mail doesn't actually come from us so we're not having any blacklist problems, but the floods of bounce messages zip right through the spam filters and piss off the users.

Re:I'm getting it

[KillerBob]

I've seen a huge increase in both spam and particularly spam that makes it past my spam filter.

It's an arms race. They come out with a new message that tricks the filters into thinking it's real. The filters update and adapt. They rethink things and come out with a new junk message which sometimes succeeds, sometimes doesn't. When they find one that works, I start getting spam again until the filters adapt. Ad nauseum.

I've got my SpamAssassin filters set to update on a daily cron job, and it's always the same... Every week or two, I get a handful of spam messages getting past the filters. They're all basically the same. And it lasts for about a day before I stop getting spam again. So it comes in bursts for me, every time the spammers rethink the message they send out.

I've had my domain, and the same e-mail address for half a decade. My IP address did recently change when I moved into a new colo, but all of the DNS has updated already, so the spammers still know who I am. It's annoying. But it is manageable.

Re:I'm getting it

[nabsltd]

Don't you hate it that you have to deal with this sort of thing because some other mail server isn't configured correctly?

If all mail servers instituted the policy of "reject...don't accept then bounce", then there wouldn't be any blowback spam. Unfortunately, there is some MTA software that can't do the right thing without non-standard add-ons (qmail, I'm looking at you).

Re:I'm getting it

[petermgreen]

and you will block quite a few legit bounces too for two reasons

1: 12 hours is nowhere near long enough
2: the message may be routed through multiple servers before finally getting bounced.

Okay

[morgan_greywolf]

And you're complaining because .... ?

Re:Okay

[kinzillah]

Perhaps he'd like to leave it to systems he controls? I, for one, would rather a third party weren't silently dropping mail that could be false positives.

Re:Okay

[qortra]

He isn't complaining. It isn't wrong to ask questions when things unexpectedly go well.

Re:Okay

[camperdave]

And you're complaining because .... ?

Without having the spam to process, the server doesn't run as hot as it's "supposed to". This causes a power imbalance, sending more current to the other servers and tripping breakers. Also, because of the lack of that heat, the server room is too cold. The UPS batteries are not storing enough of a charge as they are less efficient when they're cold. If a power sag, brownout, or blackout happens during one of these spam free moments, well, the results could be catastrophic.

Re:Okay

[rbane3]

I carry mace with me to mark, but not stop, my raper, and I'm still seeing the occasional rapper tagged by mace. But they're virtually all gone.

I see what you did there! Subtle insight of your views concerning the Hip Hop "artist"?

Re:Okay

[Hektor_Troy]

Mace? Screw maze.

Flurescent green spray paint is much better. Not only will you keep your assailant off of you, but you will also make it REALLY easy to pick him out of a line-up later.

Police: "Can you identify the guy who jumped you?"
Victim: "He's the green faced guy, crying on the corner about being blind."

Did you install Skynet 1.0?

[bugeaterr]

Did you install Skynet 1.0?

Hey, what's that siren going off for....

Because...

[Capt+James+McCarthy]

When spammers took over your box, they didn't want to flood it with their own mail.

One down

[canderley]

Per Ars, a 100,000 machine bot net was shut down recently. http://arstechnica.com/news.ars/post/20080814-police-nab-shadow-creators-force-botnet-to-commit-suicide.html

Re:One down

[bearl]

Did you read the article? "...as the messages and phishing hooks were all sent in Dutch,..."

Since the original poster didn't mention what portion of his spam was arriving written in DUTCH, we can't say for sure, but it appears, as the article says (up near the top too!), this botnet, while large, was almost completely confined to the Netherlands.

I'll save you the reply too, should you go back and read the article, the rest of the sentence I quoted above says "...but had apparently infected some US systems as well, as the FBI is credited for assisting on the case." However it does say that ALL the messages were sent in Dutch.

Probably not our boy's spam.

Oops...

[bhamlin]

Sorry, we've been down for maintenance and it's taking a lot longer than we originally planned. You can expect normal service to resume by next monday.

Shadow botnet was killed recently

[Nimey]

http://arstechnica.com/news.ars/post/20080814-police-nab-shadow-creators-force-botnet-to-commit-suicide.html

That may account for some of it.

So it's become real...

[Seakip18]

Spam Assassin is actually assassinating spam.

On another note, has anyone heard from cousin who is a Nigerian prince? He hasn't called in days and we're beginning to get worried.....

those chinese spam factories are shut down ...

... to save the health of the athletes.

The Russians are busy in Georgia...

[NMBob]

...and the Chinese are busy watching 13-year olds win gold metals. Bob

We Can Test

[awitod]

We're happy to help you solve this mystery.
What is your email address?

We got bored of the joke

[Bogtha]

Okay, here's the thing: nobody but you ever got spam. We all just thought it would be funny to fool you into thinking there was some kind of worldwide scamming epidemic. You don't seriously think people would be stupid enough to buy pills off strangers who email them out of the blue, do you? I thought we'd gone a bit too far and stretched the limits of credibility when we came up with the idea for the Nigerian scams, but I was wrong, you even fell for that! Nobody is stupid enough to send all their money to a "Nigerian prince".

Anyway, enough's enough. The joke's stale now, so we decided to stop sending it all to you.

Spam has relatively few sources

[Toe,+The]

A large chunk of spam comes from a very small group of spammers. It may just be that you are only targeted by one of them, and he took a break recently.

Hang in there... he'll come back from vacation soon, and you'll be able to mortgage your penis to Nigeria again.

Re:Exactly.

[Arimus]

Assuming a third party isn't dropping your email... if they are then that's almost as bad the spam deluge - I'd rather be the one to decide what is spam than a third party who may or may not have a clue.

I can kinda confirm this.

[suso]

I run a web hosting company and over the past couple weeks I've had a few customers report that the amount of spam has dropped. Of course, they thought that this was something wrong, but I couldn't find any evidence of increased failures, it was just that there was slightly less mail coming in.

Botnets current tasked to higher priority jobs

[Wrath0fb0b]

http://it.slashdot.org/article.pl?sid=08/08/12/191255&from=rss
http://bits.blogs.nytimes.com/2008/08/11/georgia-takes-a-beating-in-the-cyberwar-with-russia/

When the crisis abates, I expect the botnets will be returned to their regularly scheduled duties. Quite a versatile tool those botnets -- pimping V!agr4, collapsing government sites, enhancing the male doodad, distributing pr0n, bullying your neighbors (http://news.bbc.co.uk/2/hi/europe/6665145.stm). For the cost of one M1A1 tank tread, Putin bought himself a whole lot of firepower.

Advantage: Putin.

headless botnets

[Lord+Ender]

We've been seeing botnets changing desktop background to an image alerting people that they are infected with a virus. Obviously a real spam botnet operator would not alert people like that.

My theory is that some grayhat wrested control of a major botnet, and is shutting it down from the source (and alerting the victims in the process).

We Apologize

[Sloppy]

Dear Sir,
We humbly apologize for the interruption in service. Please reply with your email address and our technical staff will get back to you.

Re:Exactly.

[Minwee]

I, on the other hand, consider sudden, dramatic, and completely unexplained changes to the operation of systems under my control to be a reason to worry.

I'm just funny that way.

Re:I can forward you some of mine if that helps...

[Noexit]

That might actually be a not bad idea. Sending him something that can be confirmed as having been sent, and as being spammy.

Re:we are all doooomed

[Ethanol-fueled]

Naw, just that the Russians have shifted all their botnets' attacks toward Georgia.

Re:Exactly.

[Bandman]

Amen.

It's like we speak the same language.

Change is good. Unexpected change is very, very bad.

Try forwarding spam through ISP

[IceCreamGuy]

Maybe you could forward some spam from, say, a gmail account to your address in question. If it doesn't make it through to your server then you have a definitive record to confront your ISP with. Or, if they do get through, maybe you should buy a lottery ticket because your the luckiest admin on slashdot!

Black Hat

[machine321]

They all just got back from Black Hat / Defcon, and they're still hung over.

Re:Check

[MPAB]

I find your lack of spam disturbing ...

Infected PC are offline during summer ^_^

[Kirys]

Most spam is sent by bot-nets, mostly composed by infected pc of workplaces, school and private homes. In many countries during the second and third week of August many schools and workplaces are closed so their pc are just turned off, this mean that the bot-nets have less active nodes and so are less effective. I do receive less spam too but I think that it will be back to the sad old amount at the end of the summer :(

Something did change...

[r_cerq]

I've just checked my work's logs (an ISP). The number of hits in the spam taggers fell from 12/sec to 3/sec earlier this week.

So either we're identifying less spam, or there is in fact less of it.

Already going on.

[Medievalist]

Seriously though ... if spammers started turning up dead where would the police even begin their investigation? There's only a pool of what, half a billion suspects?

Spammers and virus writers employed by spammers to create their zombie pools have been turning up dead for almost two years now.